{"id":"eec649f3-3339-4b91-b49b-74e64bf85b1b","shortId":"az3V6d","kind":"skill","title":"dependency-management","tagline":"Manage third-party libraries, runtimes, and SaaS dependencies. Use this skill when setting an update cadence, responding to security advisories, dealing with deprecated dependencies, evaluating new dependencies, auditing what's installed, or unblocking a dependency upgrade. Trigg","description":"# Dependency Management\n\nDecide what to depend on, keep dependencies current, respond to advisories, and reduce supply chain risk. Stack-agnostic principles; specifics vary by package manager.\n\n---\n\n## When to use\n\n- Setting up dependency hygiene for a new or existing project\n- Responding to a security advisory\n- Major version upgrade of a key dependency\n- Adding a new dependency (evaluation, decision)\n- Removing a dependency (cleanup)\n- Audit of what's installed and what's actually used\n- Setting an update cadence and policy\n- Diagnosing a broken build after an update\n\n## When NOT to use\n\n- General code review (use `code-review-web`)\n- Vulnerability scanning of infrastructure (use `security-baseline`)\n- Pinning vendor or service contracts (use `vendor-evaluation`)\n- Performance impact of dependencies (use `performance-optimization`)\n\n---\n\n## Required inputs\n\n- Package manager and lockfile in use (npm, yarn, pnpm, pip, gem, composer, etc.)\n- Current dependency list (production and dev)\n- Current advisories (run audit; check service like Snyk, Dependabot)\n- Update history (when were major dependencies last updated)\n- Risk profile (production criticality, change tolerance)\n\n---\n\n## The framework: 4 categories of dependency\n\nEvery dependency falls into one of these. 
The category drives the policy.\n\n### Category 1: Critical runtime\n\nCode that runs in production and would break the system if it failed.\n\nExamples: framework, database driver, payment SDK, authentication library.\n\nPolicy:\n- **Update cadence:** monthly minor, quarterly major (with planning)\n- **Security:** patch within 24-72 hours of advisory, 24h for critical\n- **Pinning:** exact version pins or narrow ranges\n- **Vetting:** thoroughly evaluated before adoption\n\n### Category 2: Supporting runtime\n\nCode that runs in production but is replaceable or non-critical.\n\nExamples: utility libraries, formatting, non-core integrations.\n\nPolicy:\n- **Update cadence:** monthly together with critical\n- **Security:** patch within a week of advisory\n- **Pinning:** narrow ranges acceptable (e.g., `^1.2.3`)\n- **Vetting:** moderate evaluation; alternatives considered\n\n### Category 3: Dev/build\n\nCode that runs only during development or build, not in production.\n\nExamples: bundlers, linters, test frameworks, type checkers.\n\nPolicy:\n- **Update cadence:** quarterly\n- **Security:** patch within a week (still matters; supply chain attacks target build tools)\n- **Pinning:** ranges acceptable\n- **Vetting:** lighter; broken dev tools surface fast\n\n### Category 4: Optional/dev-only-personal\n\nTools individual developers use that aren't part of shared dev environment.\n\nNot really managed at the project level. 
Mentioned for completeness.\n\n---\n\n## The framework: 5 risk dimensions\n\nWhen evaluating a dependency, consider:\n\n### Dimension 1: Maintenance health\n\n- Last commit date (months ago is concerning)\n- Open issue count and age\n- Number of maintainers\n- Sponsorship or commercial backing\n- Roadmap visibility\n\nA dependency abandoned a year ago is a liability waiting to surface.\n\n### Dimension 2: Surface area\n\n- Size of the package\n- Number of transitive dependencies\n- Footprint in the bundle (for client-side)\n- Privileges required (file system, network, etc.)\n\nA small dependency that pulls in 50 transitive packages has the surface area of all 50.\n\n### Dimension 3: Replaceability\n\n- How hard would it be to remove?\n- Are there alternatives?\n- Could the functionality be implemented in-house?\n- Is the API standard or idiomatic?\n\nA dependency you can't replace is leverage you've granted to its maintainer.\n\n### Dimension 4: Trust\n\n- Reputation of the maintainer or organization\n- Code quality (skim the source)\n- License (GPL, MIT, BSD, proprietary, none)\n- History of security issues\n- Supply chain practices (signed releases, 2FA on publishes)\n\n### Dimension 5: Cost\n\n- Time to evaluate, integrate, maintain\n- Risk of breaking changes\n- Lockfile entropy\n- Potential security exposure\n- Bundle size impact (for client-side)\n\nEvery dependency has a cost. Free packages aren't free.\n\n---\n\n## Workflow\n\n### Step 1: Inventory\n\nRun a dependency listing:\n\n```bash\n# npm/yarn/pnpm\nnpm ls --all --json\n\n# pip\npip list\n\n# gem  \nbundle list\n```\n\nFor each top-level dependency, categorize (critical / supporting / dev). 
For transitives, you generally don't manage individually unless one becomes a problem.\n\n### Step 2: Audit\n\nRun the security audit:\n\n```bash\nnpm audit\nyarn audit\npip-audit\nbundle audit\n```\n\nFor each finding:\n- Severity (critical, high, medium, low)\n- Package and version\n- Fix available?\n- Used directly or transitively?\n\n### Step 3: Categorize and prioritize\n\n| Severity | Direct dep | Indirect dep |\n|---|---|---|\n| Critical | Patch today | Patch this week (if a fix exists; track if not) |\n| High | Patch this week | Patch this month |\n| Medium | Patch this month | Track; patch with next round |\n| Low | Track | Track |\n\nCritical and high in production code are emergencies. Low and medium are scheduled work.\n\n### Step 4: Test before merging fixes\n\nEven patch-level updates can break things. For critical dependencies:\n- Run the full test suite\n- Smoke-test in staging\n- Watch the monitoring after rollout\n\nFor supporting and dev:\n- Run the test suite\n- A failed test is OK to investigate; don't merge a known-broken update\n\n### Step 5: Plan major version upgrades\n\nMajor versions break things. Plan rather than rush.\n\nFor each major upgrade:\n- Read the changelog and migration guide\n- Estimate the migration effort\n- Schedule the work (don't do it under deadline pressure)\n- Branch and test thoroughly\n- Plan a staged rollout if it's a critical dependency\n\nDon't sit on major versions indefinitely. The longer you wait, the more painful the upgrade.\n\n### Step 6: Set the policy\n\nDocument:\n- Update cadence (e.g., monthly review, quarterly upgrades)\n- Security response SLA (e.g., critical within 24h)\n- Approval for new dependencies (who signs off)\n- Removal criteria (when do we drop a dependency)\n- Pinning strategy (exact, narrow range, broad range)\n\nThe policy is what survives team turnover. 
Without it, dependency management becomes chaotic ad hoc work.\n\n### Step 7: Automate\n\n- **Renovate** or **Dependabot** for automatic update PRs\n- CI runs audit on every PR\n- Block merges on critical advisories (with override path for false positives)\n- Notify on advisories for installed packages\n- Lockfile diff in PR review\n\nAutomation reduces toil. Manual checking doesn't scale.\n\n### Step 8: Audit usage periodically\n\nQuarterly:\n- Dependencies installed but not imported anywhere (run a tool like `depcheck`)\n- Major versions behind (more than 1-2 majors behind = upgrade plan needed)\n- Unmaintained packages (last commit over a year ago = consider replacing)\n- License audit (anything that's changed terms?)\n\nRemove what's not used. Replace what's unmaintained.\n\n---\n\n## New dependency evaluation\n\nBefore adding a new dependency, answer:\n\n- [ ] What problem does this solve?\n- [ ] Could we solve it without a dependency? (Often yes for small problems.)\n- [ ] What alternatives exist?\n- [ ] Is the package actively maintained?\n- [ ] What's the install size and bundle impact?\n- [ ] What are the transitive dependencies? (Worth a quick scan.)\n- [ ] What's the license?\n- [ ] What's the security history?\n- [ ] How replaceable is it?\n\nDefault: don't add. Add only when the value clearly exceeds the cost. The cost includes ongoing maintenance, not just installation.\n\n---\n\n## Dependency removal\n\nWhen removing a dependency:\n\n- [ ] Identify all usages (search the codebase)\n- [ ] Replace each usage (with native code, another dependency, or a no-op)\n- [ ] Remove from package.json or equivalent\n- [ ] Update lockfile (run install)\n- [ ] Verify tests pass\n- [ ] Verify build size went down (or stayed the same)\n- [ ] Document the removal in the changelog\n\nRemoved dependencies sometimes leave config files, CI hooks, or imports behind. Search broadly.\n\n---\n\n## Failure patterns\n\n**No update cadence.** Dependencies drift. 
When you finally upgrade, it's painful. Set a cadence.\n\n**Audit disabled in CI.** \"Too noisy.\" Tune the audit, don't disable it. Whitelist known false positives explicitly.\n\n**Pinning everything to exact versions.** Stops automatic patches. Misses security fixes. Use narrow ranges with a lockfile.\n\n**Unpinned floating versions.** `latest` in production. Builds aren't reproducible. Lockfile required.\n\n**Adding dependencies without review.** \"I just needed a quick utility.\" Now there are 50 unused dependencies. Require review for new dependencies.\n\n**Ignoring transitive dependencies.** A direct dependency pulls in 50 indirect ones. Each is supply chain surface. Audit the tree, not just the top level.\n\n**Patching with major version bumps.** \"Updating to fix a bug\" but the update is a major version. Now you have unrelated breaking changes too. Be deliberate about the version of the fix.\n\n**Vendor-bundled libraries.** Some dependencies vendor copies of other dependencies. They're not visible to the audit. Periodically check.\n\n**Build-time dependencies treated as zero-risk.** Build tools have access to your code and credentials. Supply chain attacks target them. Treat with appropriate care.\n\n**Fork without rebase plan.** Forking a dependency to fix something. Then you own it. Plan how to rebase or merge upstream changes, or commit to maintaining the fork.\n\n**No license audit.** Project ships with a GPL dependency in a commercial product. Compliance issue. Audit licenses on add and quarterly.\n\n**Update PRs piling up.** Dependabot PRs go unmerged for months. 
Either tune to fewer PRs or commit time to merging them.\n\n---\n\n## Output format\n\nA dependency policy document includes:\n\n- **Inventory:** current dependencies by category\n- **Audit status:** open advisories, severity, plan\n- **Policies:** cadence, SLA, pinning, approval\n- **Tooling:** what's automated (Renovate, Dependabot, audit in CI)\n- **License audit:** any concerns\n- **Quarterly review schedule:** when this gets revisited\n\n---\n\n## Reference files\n\n- [`references/upgrade-checklist.md`](references/upgrade-checklist.md): Step-by-step checklist for performing a major version upgrade of a critical dependency, from changelog reading to staged rollout.","tags":["dependency","management","claude","skills","rampstackco","agent-skills","anthropic","awesome-claude-code","awesome-claude-prompts","awesome-claude-skills","claude-code","claude-skills"],"capabilities":["skill","source-rampstackco","skill-dependency-management","topic-agent-skills","topic-anthropic","topic-awesome-claude-code","topic-awesome-claude-prompts","topic-awesome-claude-skills","topic-claude","topic-claude-code","topic-claude-skills","topic-good-first-issue","topic-mcp","topic-product-management","topic-seo"],"categories":["claude-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/rampstackco/claude-skills/dependency-management","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add rampstackco/claude-skills","source_repo":"https://github.com/rampstackco/claude-skills","install_from":"skills.sh"}},"qualityScore":"0.540","qualityRationale":"deterministic score 0.54 from registry signals: · indexed on github topic:agent-skills · 181 github stars · SKILL.md body (10,254 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:55:14.985Z","embedding":null,"createdAt":"2026-04-30T01:01:27.938Z","updatedAt":"2026-05-18T18:55:14.985Z","lastSeenAt":"2026-05-18T18:55:14.985Z","prices":[{"id":"ffe05be0-2f4f-4182-b03f-1dbd48b235f5","listingId":"eec649f3-3339-4b91-b49b-74e64bf85b1b","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"rampstackco","category":"claude-skills","install_from":"skills.sh"},"createdAt":"2026-04-30T01:01:27.938Z"}],"sources":[{"listingId":"eec649f3-3339-4b91-b49b-74e64bf85b1b","source":"github","sourceId":"rampstackco/claude-skills/dependency-management","sourceUrl":"https://github.com/rampstackco/claude-skills/tree/main/skills/dependency-management","isPrimary":false,"firstSeenAt":"2026-04-30T01:01:27.938Z","lastSeenAt":"2026-05-18T18:55:14.985Z"}],"details":{"listingId":"eec649f3-3339-4b91-b49b-74e64bf85b1b","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"rampstackco","slug":"dependency-management","github":{"repo":"rampstackco/claude-skills","stars":181,"topics":["agent-skills","anthropic","awesome-claude-code","awesome-claude-prompts","awesome-claude-skills","claude","claude-code","claude-skills","good-first-issue","mcp","product-management","seo","show-hn","showcase","showdev","web-design","web-development"],"license":"mit","html_url":"https://github.com/rampstackco/claude-skills","pushed_at":"2026-05-10T22:40:22Z","description":"Stack-agnostic Claude Skills covering the full website lifecycle: brand, design, content, SEO, dev, ops, growth, and research. 
Build, ship, audit, optimize.","skill_md_sha":"4ea6220f219b677a3a115835ff798a58350a94b3","skill_md_path":"skills/dependency-management/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/rampstackco/claude-skills/tree/main/skills/dependency-management"},"layout":"multi","source":"github","category":"claude-skills","frontmatter":{"name":"dependency-management","description":"Manage third-party libraries, runtimes, and SaaS dependencies. Use this skill when setting an update cadence, responding to security advisories, dealing with deprecated dependencies, evaluating new dependencies, auditing what's installed, or unblocking a dependency upgrade. Triggers on dependency, package update, security patch, lockfile, deprecated, breaking change, supply chain, dependency audit, npm audit, dependabot, renovate. Also triggers when a build breaks after an update or when an advisory is published for a used package."},"skills_sh_url":"https://skills.sh/rampstackco/claude-skills/dependency-management"},"updatedAt":"2026-05-18T18:55:14.985Z"}}